How to improve information technology strategic planning effectiveness using balanced scorecard, risk and maturity analysis, case study health information technology? A qualitative study

Abstract Background and Aims Although many health strategic plans have been developed by scholars and organizations, they still suffer from a limited view. Since most health‐related strategies in the future will depend on information technology (IT), as the main driver of today's industry, technology, and society, IT merits attention in health strategic plans. While the majority of the health strategic plan developed based on the interviews and questioner and these plans didn't consider the role of IT in their actions, this research will develop a framework to integrate risk and maturity analysis with the strategic planning process in health information technology strategic plan. Methods The present research introduces an integrated framework based on a balanced scorecard (BSC) and control objectives for information and related technologies (COBIT). Also, The American Productivity & Quality Centre framework and COBIT were employed in this model to define the processes and activities of health IT (HIT) organizations. The organization's maturity and risk are analyzed in terms of information and management criteria using BSC, COBIT, and the analytical hierarchy process. Results Later this model was implemented in a Remote Health care System to improve the strategic management process for this technology. Using this framework, 17 business goals have been developed and presented for the case. Also, the total related risk was 48% and the maturity level was at 1/18. The results are presented as decision‐making parameters and strategies for successful IT implementation. Conclusion The presented framework provides deeper insight for the decision‐maker through integrating risk and maturity analysis in the HIT strategic planning process. The results are presented as decision‐making parameters and strategies for successful IT implementation. These strategies help investors decide about resource allocation based on the risk‐taking capability, certainty, and uncertainty results of the plan.


Health information technology (HIT) is a combination of IT and all
aspects of the healthcare domain, for example, medical sciences, health management, health economy, and nursing. All healthcare organizations and businesses should have a strategic plan for their future HIT based on visions, missions, and goals. Owing to the importance of HIT, considerable effort has been made to provide proper strategic plans in this field. The Office of the National Coordinator for HIT (ONC) is among the principal organizations developing strategic plans for HIT. 1,2 In addition to the ONC's strategic plans, various other plans [3][4][5] have been developed and implemented for this purpose.
ONC presented its first HIT strategic plan in 2011 as the Federal Health Information Technology Strategic Plan, 1 which commenced HIT implementation in the healthcare sector based on five goals, all aiming to achieve the acceptance and exchange of information, build trust among people in HIT, and empower individuals with HIT. Since this strategic plan was based on the opinion of experts and community information, it was a general and conceptual model that lacked computational accuracy and, therefore, could not communicate with nonfederal organizations. The strategies were not costeffective, and mobile-based health apps were not employed.
The second plan of this office was developed and published in 2015 for 2015-2020. 2 This strategic plan included four objectives and mainly sought to change personal and public health based on IT systems and improve the IT infrastructure. As a result, its implementation offers high-quality care at a low cost and increases the healthy population.
Nevertheless, its weaknesses include a lack of a global perspective for identifying and obtaining information from patients, the lack of harmonization of federal and state regulations, and the lack of risk analysis of the strategic plan and required measures for preventing risks.
Ritchie, William et al. indicated that in many hospitals and healthcare systems cost of doing business is the only tool to assess the quality of managers in this system. This study also indicated that the strategic goals of healthcare systems are achievable through the lens of balanced scorecard (BSC), and this tool could give new insights into the operational processes. 6 In another study, the researcher shows that adopting BSC in the integration of big data and strategic management, not only will help to overcome complexities in the organizations, but also will help to improve the effectiveness of the strategic plan performance, and new insight will be available for managers decisions. 7 In a study related to cloud adoption in healthcare systems, researchers found that the lack of interoperability and integration of the traditional healthcare information systems slowed down the expansion of e-health. Although Cloud computing was a strategic goal for hospitals, there was complexity in execution due to low level of reliability and maturity in IT systems. 8 The McKesson Corporation suggested that the strategic plan will be updated by developing roadmaps for high-priority issues, encouraging collaboration on standard development, prioritizing administrative simplification, starting complete works to exchange the selected document types through direct exchange, harmonizing laws and regulations about health information privacy, security, and providing a risk-based regulatory framework for HIT. 9 In addition to the ONC strategic plans, various other plans [3][4][5]10,11 were also developed and implemented in this field. Previous studies mainly have focused on providing strategic plans using methods such as surveys, questioners from experts and communities, and quality and cost analysis. However, since HIT is developing on IT infrastructures, it is necessary to analyze the risk and maturity of the HIT to prevent failures and casualties and increase the reliability of HIT systems. Whereas none of the previous studies were based on risk analysis and maturity assessment of the IT in the organization. Moreover, they did not address the quantitative criteria of IT, for example, reliability, resources, time, risk, and maturity, in the process of strategic planning. It is, therefore, necessary to analyze HIT risk and maturity since it is developed based on IT infrastructures. Hence by considering the importance of IT in the future of the Health sector especially by the emergence of the COVID-19 pandemic, the lack of IT and health-integrated planning framework to improve the effectiveness and efficiency of plans lead to the following research question: how can IT risk and maturity integrate into Health strategic planning to improve the effectiveness of the plan?
Thus, the main goal of this study is to provide a framework that aims to fill the research gap in previous plans and integrate risk and maturity assessment in the HIT planning process. The findings of risk and maturity analyses can serve as the input for developing a strategic plan for HIT technology execution and development.
In this paper, an integrated algorithm consisting of the balanced scorecard (BSC) model and COBIT framework is introduced for strategic plan development in HIT organizations. The strategic plan proposed for the HIT domain comprises risk and maturity analysis in terms of management metrics, which include the elevation of IT and its processes from four aspects of the BSC method. 12 The COBIT framework was chosen because the procedures for the extraction of strategies from the strengths, weaknesses, opportunities, and threats (SWOT) analysis and the identification of KPIs from IT critical success factors (CSFs) are unknown in the BSC method. 13 Moreover, IT projects are riddled with greater complexity due to real-time and online integrated service-oriented systems.
The algorithm proposed for strategic planning demonstrates the organizations' present maturity and risk ratio according to business goals (BGs) for each criterion. The proposed strategic planning model also presents the maturity and risk analysis for the health organization's current status to evaluate IT performance from each of the four BSC perspectives. The resulting strategic plan can offer an additional perspective to managers and decision-makers to better understand HIT and prevent failures in HIT technology execution and expansion.

| METHODOLOGY
This study used focus group discussion as the method to gather data for SWOT analysis, identifying CSF's and developing the strategic plan. This paper proposed an eight-step algorithm to develop a strategic plan for HIT implementation (Figure 1).

| COBIT IT governance framework
Initially, four domains and 34 processes were defined according to the COBIT framework ( Figure 2). 14 The BGs and IT goals (ITGs) of COBIT were also reviewed and modified by experts for the organization.

| APQC process classification
The APQC's industry-specific process classification framework was adopted, and relative activities were identified. 15 These activities were specified as 34 COBIT processes to form the hierarchical structure. A group of experts mapped the relations between APQC activities and COBIT processes to match and sort the APQC and COBIT framework results.

| COBIT, BSC, and standard model
A comparison of the constituent elements of the COBIT 4.1, standard strategic planning, and BSC shows that: • The actions common between the three systems include the development of strategic alignment visions, objectives, and performance evaluation.
• Both standard strategic planning and COBIT 4.1 obtain IT resource allocation and management and action plans.
• Both BSC and COBIT 4.1 insist on IT goals and BGs and strategic objectives' efficiency and effectiveness assessment.
• Standard strategic planning provides competitive advantages based on a strategic approach. Therefore, internal and external environment analysis and opportunity and threats analysis are required.
• COBIT 4.1 emphasizes risk analysis and maturity assessment of the organization's status quo.
• BSC focuses on the long-term development of the organization and evaluates the strategic outcomes of the organization based on four perspectives.
A comparison of these methods is illustrated in Figure 3.

| Relative importance (RI) based on AHP
In this step, time and cost were estimated for each IT-related activity, and the RI of the activities of all processes was accordingly calculated. After that, based on the RI of activities and the relation map between activities and processes, the RI of each process in the organization was calculated by the AHP. 16

| Maturity assessment
Herein, maturity was calculated based on the COBIT 4.1 framework method. Based on this model proposed in the COBIT framework 11, organizations are classified into five levels of maturity, ranging from the initial to the optimized organization.
The only difference between the proposed and the COBIT methods is that COBIT assumes that all activities have the same weight and effect on the process maturity, whereas the proposed method assumed that the activities' weight affects process maturity.
A two-step procedure was adopted to determine process maturity. In the first step, the process realization percentage was calculated based on the realization percentage of the related activities. In the second step, process maturity was determined by evaluating and calculating the number of attributes.

| Risk assessment
To assess risk in the IT organization, 13 operational risks were first considered as the most common and risky incidents in IT projects, agreed upon by a team of experts: (1) Inappropriate use of IT tools.

| SWOT analysis
In this step, the SWOT framework 17 was utilized to evaluate the organization's competitive position and perform strategic planning. 18 To determine the strengths and weaknesses, the maturity assessment results were used since they demonstrated the capabilities and flaws of the 34 processes and four domains of the IT organization. Next, the risk assessment results were applied to determine the opportunities and threats by providing valuable data on factors affecting the IT organization from external perspectives.

| Developing the IT strategic plan based on BSC
The findings of the SWOT analysis were used by the group of experts, and strategies were developed for the related technology. The BGs resulting from SWOT was later reviewed by the experts and categorized under the four BSC perspectives. 12 The strategies and data gathered from previous steps and the BSC were then employed to develop a strategic plan according to the related technology's risk and maturity.
Moreover, the risk and maturity of BGs and four BSC perspectives were calculated. according to the relations between 34 processes and ITGs, ITGs to BGs, and the RI. Knowing the maturity and risk of each perspective opens up horizons to managers and stakeholders for making more effective decisions.

| IMPLEMENTATION
The remote health monitoring system (RHM) as a HIT technology was adopted as the case study. RHMs are online multi-dimensional decision-making patient-based health information processing networks proposed as a comprehensive tool for effective and efficient medical information sharing. The conceptual IT architecture of RHM is demonstrated in Figure 5.
Initially, a committee was assembled comprising 12 experts in healthcare, IT managers, and decision-makers. The experts then reviewed and modified 28 ITGs of COBIT and adapted them to the case study. Consequently, 18 ITGs were identified for the HIT. In addition, the relationship between these 18 ITGs and the 34 processes of the COBIT framework was established based on the opinion of experts and organization managers. Table 1 lists the results.
Following the proposed procedure, APQC introduced 13 main processes for healthcare service providers, which were then divided into 1985 activities. The experts adapted the APQC process framework to the case study. The committee developed a process map and refined these 1985 activities into 1634 activities in the case.
The activities were then categorized under the 34 processes of the COBIT architecture. Therefore, the RHM technology was divided into 1634 activities under 34 processes of the COBIT 4.1 framework.
Afterward, the weight of each activity was calculated and was used to determine the RI of each process. Results are presented in Table 2.
Maturity was also calculated using the COBIT framework, and risk assessment was performed based on AHP (Table 3).
A SWOT analysis was conducted to analyze the advantages and disadvantages of the implementation of remote healthcare system (Table 4).
F I G U R E 5 The conceptual architecture of the remote health monitoring (RHM) system After that, the strategies extracted from the SWOT analysis were adopted, and the BSC was developed for the RHM (Table 5).
At this stage, the correlation between BGs and ITGs was determined ( Table 6).
The 17 identified BGs and their assortment under the four BSC perspectives served as a basis for strategic roadmap development ( Figure 5). Finally, the risk and maturity of BSC perspectives and BGs are presented in Table 7.
The implementation of RHM in the organization has an average maturity level of 1.18 and an average risk level of 48%. Based on the COBIT framework, this level of maturity and risk means that processes can be implemented and primary goals can be achieved.

| RESULTS
To meet management goals such as communicating with the organization's requirements, utilizing a specific model, identifying key resources, and defining management control goals, the need to design a model whose main features are focusing on business goals, being process-oriented, controlling, and measurable is necessary.
Providing IT services Business requirements include business strategies, service planning, organizational planning, and technology planning, five strategies are offered in IT.
• A service strategy that includes demand management and IT management processes.
• A Design strategy includes information security management processes, service continuity management, and supplier management.
• The transfer strategy includes configuration management and change management services and knowledge management processes.
• Operational strategy, which includes operations management and management of problems and risks.
• Improvement strategies include improvement and control processes at the service delivery level.
Some of the actions that are proposed to improve management services are: • Preparation and design of the regulations and a comprehensive model of governance and management of IT and implementation of the IT governance organization procedures.  1  Improve customer orientation and service.  WT  W1, W7  T2, T3, T5, T6   2  Ensure compliance with external laws and regulations.  ST  S3, S4  T2, T4, T5, T6   3  Establish service continuity and availability.  SO  S1, S3,  The roadmap provided by this model can be seen in Figure 6, which is presented in four perspectives in accordance with BSC and contain 17 IT business goals of the HIT sector.
F I G U R E 6 Balanced scorecard (BSC) strategic plan roadmap for health information technology (HIT) Herein, an integrated algorithm of BSC and COBIT was proposed and applied for the strategic planning of health and health-related ICT. In this algorithm, activities were controlled through KPI, budget allocations, and performance evaluation systems to match organizational goals, ITGs, and business objectives to organizational missions and visions. It was concluded that, by assessing and analyzing risk and maturity in IT and developing a strategic plan, the performance of IT systems will be significantly enhanced, while the risk and cost of technology execution will be decreased (i.e., service quality, compatibility, support quality, information quality, usage time, accessibility, ease of use, response time, compatibility, social influence, understandability, and self-efficacy). The IT management risk and maturity were evaluated by collecting data in 34 processes and four domains. The results of the paper can be applied to health-related technologies to promote decision-making for future strategies.
After calculating and confirming the results, the findings were provided to the organization's management to be exploited in: (1) allocation of limited resources to activities and processes.
(2) Optimized and effective use of investment in IT.
(4) Effective use of IT for growth and development.
(5) Effective use of IT flexibility in commercial terms.
Future studies can utilize this algorithm and methodology for the strategic planning of other health technologies. Also, this framework could be used in other organization and industries which IT count as one of the most essential in developing strategic plans. In addition, future studies could be conducted with more experts in the field and using IT infrastructure reliability analysis in addition to risk and maturity analysis. writingreview and editing.

ACKNOWLEDGMENTS
The supporting source/financial relationships had no such involvement in this study. All authors have read and approved the final version of the manuscript. Hossein Moinzad had full access to all of the data in this study and takes complete responsibility for the integrity of the data and the accuracy of the data analysis.

CONFLICT OF INTEREST
The authors declare no conflict of interest.

DATA AVAILABILITY STATEMENT
The data that support the findings of this study are available on request from the corresponding author. The data are not publicly available due to privacy or ethical restrictions.

TRANSPARENCY STATEMENT
The lead author Hossein Moinzad affirms that this manuscript is an honest, accurate, and transparent account of the study being reported; that no important aspects of the study have been omitted; and that any discrepancies from the study as planned (and, if relevant, registered) have been explained.